The ongoing revision of ISO 31000

Risk management is one of the core topics in Governance

Prof. Brühwiler has been involved with ISO 31000 since its very beginning in 2005 when ISO TMB (Technical Management Board) established a working group which was asked to write ISO 31000. This working group later became the Project Committee to develop guidance on the implementation of ISO 31000 and was converted in August 2012 into ISO/TC 262. He was actively engaged in Austria’s creation of their standards in risk management and published some renowned books on risk management, the latest being the fourth edition of »Risikomanagement als Führungsaufgabe« published in July 2016. At the Chicago meeting of TC 262 in September 2013 Bruno was confirmed as convenor of ISO/TC 262/WG 2.

Bruno, you have been the convenor of TC 262’s working group 2 for more than three years now, we know quite a lot about the group’s work and obstacles but not too much is known about you – can you please tell us about your background?

Bruno Brühwiler: The background of my risk management activities were my studies in business administration at the Saint Gall and Zurich Universities. My first business environment was the commercial insurance industry. In parallel I was writing my academic thesis on risk management.

Where did you start your career and what triggered you to venture into risk management?

Bruno Brühwiler: My challenging first job in my very young career was to be a risk management expert in one of the leading Swiss industries. At the time risk management was especially known from the insurance perspective. I had a wonderful opportunity to enter into the real risk management world such as product liability, accident and fire prevention, business interruption risks (today BCM), IT security and other fields. The industries comprised machinery, automotive, medical devices, aviation and others. My wonderful experience makes me remember the first recall insurance policy in Switzerland that I created.

I continued my career for many years within the Swiss Re group. 20 years ago, I needed a new challenge and set up my own company "Euro Risk Limited". With about 10 Partners we focus consequently on risk management consulting and training.

Bruno Brühwiler: I never planned in my career to enter into risk management in hospitals. But as patient safety is one of the very big issues of risk management in our time I was invited in 2005 to develop risk management consulting and training schemes in Switzerland and Austria. In the meantime, I did many training activities in the most important hospital groups in Austria, followed now also by Germany. During the last years I have been involved in the training and certification of about 2500 risk managers, among them top managers, doctors, leading nurses, engineers, lawyers and others from all kind of industries and services, but especially from hospitals. In these figures, my teaching activities at several universities is not included.

What have been the highlights and what has been more disappointing in risk management in general for you?

Bruno Brühwiler: The highlights of risk management can be allocated in two different areas. Operational risk management opens an access to all industrial and service related activities of all kind of enterprises, from small to multinational. A very different challenge is enterprise risk management where business strategy plays the central role and risks are putting into question the long-term business strategy. This is pure and high-level management.

I was during my long career never disappointed in risk management. But I was sometimes concerned about some people that believe to have risk management skills with very little background. They confused the risk management audience with too simple views. Risk management is much more complex than some people think.

What was your biggest challenge as the Convenor of ISO/TC 262 WG 2?

Bruno Brühwiler: The challenge of the convenor is bringing together the experts from all parts and cultures of our globe into a structured discussion on risk management. Building consensus which is the core intent of ISO work is very difficult in such an abstract and challenging area like risk management represents.

Another challenge is more an organizational one: Structuring meetings with 50 experts with around 1000 comments is not an easy task. We succeeded more and more with our working techniques to handle complex discussions.

ISO 31000 is one of the bestselling and most widely recognized standards in ISO. What do you think about the future of the standard and how will it change to adapt new challenges?

Bruno Brühwiler: The 2009 version of ISO 31000 was already a high standing document. There is a worldwide need for a generic risk management philosophy. The actual revision takes into account the value of the previous version but provides many improvements, especially in preciseness and language. The new version is much shorter than the first one. I consider this as a big advantage. The management duties of today are more and more complex; we contribute with our standard to simplification, without losing substance or content. And risk management remains in the future one of the core topics in Governance.

In your personal perception, what are the biggest obstacles for integrating risk management in all organizational activities – an essential principle of ISO 31000 – for managers globally?

Bruno Brühwiler: I have done more than 400 risk management projects in the last years. I always was engaged by management, worked with senior management and I did never observe direct obstacles to risk management. But there are hidden obstacles: Risk perception is very difficult. Sometimes managers are not aware or are not ready to recognize risks because they hinder an organization to achieve their ambitious strategic objectives. In my experience, the issue in risk management is not so much risk appetite (there the risk is known), but risk perception (there the risk is not identified). Integration is not a real problem for management, failing perception is much more important for mismanagement. It has to do with human and management failures. We have just to look at the disasters and crises which have occurred in the last ten years.

The DIS of the revised standard was approved by a clear 88 % majority of voting P-Members. Nevertheless, nearly 800 comments were sent in and had to be dealt with at the WG 2 meeting in Sunnyvale. How did you cope with this amount of comments and what will be the next steps in the revision?

Bruno Brühwiler: The approval of 88 % is the result of the high consensus that we achieved with our work. However, I was surprised on the amount of comments in the DIS phase of our revision. Dealing with this amount of comments requires first of all preparing and organizing the meeting in advance, support during the meeting by the secretary and the key people of the working group who were in this case the Task Group Leaders. Secondly the convenor has to be flexible and to adapt the working program according to the development of discussions.

The next steps in the revision of ISO 31000 is final editorial work. An editorial team has been determined by the TC. This team will seek to finalize the FDIS in July 2017 and hand it over to the TC and to ISO. A translation in French will be done and after a final check by ISO the FDIS is sent to the National Standardization Bodies for ballot within 8 weeks. I expect publication at the end of the year 2017 or early 2018.

What advice can you give to interested parties globally who want to offer their input to the work of ISO/TC 262 and who should they address?

Bruno Brühwiler: Interested parties should contact their national standardization body (NSB) and ask for the relevant mirror committee to TC 262. They should contact this mirror committee and decide whether they are able to become a member. This committee will comment and vote on drafts and nominate experts for the working groups and send delegates to TC meetings. Interested parties will find the list of P-Members (participating members) and O-members (observing members) on the ISO Website with links to their NSBs. Alternatively, they can check with one of the organizations in liaisons also listed on the Website.